
Tracy Ragan
CEO DeployHub, OpenSSF Board Member, CDF TOC Member, Host of Techstrong Women
Santa Fe, New Mexico, United States
Tracy is a recognized expert in software supply chain security and DevSecOps, specializing in managing complex, decoupled architectures. She is the CEO of DeployHub, a scalable continuous vulnerability management platform that empowers software to 'self-heal' by automatically applying remediations for newly identified vulnerabilities.
Tracy serves on the Governing Board of the Open Source Security Foundation (OpenSSF) as a General Member Representative and is a member of the Technology Oversight Committee at the Continuous Delivery Foundation (CDF). Earlier in her career, she was a founding Board Member of the Eclipse Foundation, where she worked alongside IBM to advance the integrated development environment (IDE) ecosystem.
Topics
Mastering the Art of Software Supply Chain Threat Modeling
Implementing software supply chain threat modeling requires both the models and the data. In this session, we will discuss linking data from security reporting, such as SBOMs and CVEs, to the threat models to make them actionable. Software Supply Chain threat modeling requires various types of key data, including but not limited to:
• information about the software components themselves, such as dependencies, versioning, vulnerabilities, and origins;
• data on the development environment, including tools, repositories, and access controls;
• details about the distribution and deployment processes, their mechanisms, and their configuration settings;
• information on potential threat actors, their motives, and capabilities.
By analyzing these data points, organizations can better understand the risks that open-source components introduce into their software supply chain and implement appropriate mitigations and continuous monitoring. The presentation will cover MITRE ATT&CK, SPDX, OpenSSF Scorecard, Sigstore Cosign, and Ortelius as the central evidence store for tracking threat modeling data.
Maintaining Application SBOMs in a Microservices Architecture
Software supply chain management is about improving the security of the software systems we create. At the core of these discussions is the generation of SBOMs and CVE reports. In a monolithic architecture, application SBOMs and CVE reports are generated at the CI build step. But how do we manage SBOMs in a microservice environment that has no monolithic build?
This presentation will review the supply chain complexities of a microservice architecture with hundreds of runtime dependencies, each with its own SBOM and CVE reports. It will introduce Ortelius, an open-source unified supply chain catalog incubating at the Continuous Delivery Foundation, that aggregates microservice-level SBOM and CVE data up to the consuming ‘logical’ applications. Attendees will learn how to produce application-level supply chain reports that meet new federal security requirements, even in complex cloud-native environments.
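The aggregation step the two abstracts above describe (per-service SBOMs rolled up to the consuming application and joined to vulnerability data so the threat model becomes actionable) can be shown end to end. The following is an added example written for this page, not Ortelius code or any scanner's output: it parses constructed SPDX 2.3 JSON SBOMs for three hypothetical services, builds an application-level inventory keyed by package URL, and joins it against a constructed, OSV-like vulnerability feed whose IDs are placeholders rather than real CVEs. The result lists, per finding, every service that ships the affected version, which is the blast radius a team has to rebuild and redeploy.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/lodash@4.17.20' into ('pkg:npm/lodash', '4.17.20').
    Qualifiers (?...) and subpaths (#...) are dropped. A scoped npm namespace such
    as pkg:npm/@scope/name carries an '@' before a '/', while a version never
    contains '/', so an '@' whose tail contains '/' is not a version separator."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = base.rpartition("@")
    if not sep or "/" in tail:
        return base, ""
    return head, tail


def _spdx(name: str, purls: List[str]) -> str:
    """Build a minimal SPDX 2.3 JSON document for one service (constructed sample data)."""
    packages = []
    for i, purl in enumerate(purls):
        pkg_name, version = split_purl(purl)
        packages.append({
            "name": pkg_name.rsplit("/", 1)[-1],
            "SPDXID": f"SPDXRef-Package-{i}",
            "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}],
        })
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "name": name, "packages": packages})


# Constructed sample: three per-service SBOMs. Field names follow the SPDX 2.3 JSON
# schema; the service names, packages and versions are made up for this example.
SERVICE_SBOMS: Dict[str, str] = {
    "orders-svc": _spdx("orders-svc", ["pkg:npm/lodash@4.17.20", "pkg:npm/express@4.18.2"]),
    "payments-svc": _spdx("payments-svc", ["pkg:npm/lodash@4.17.20", "pkg:pypi/requests@2.31.0"]),
    "inventory-svc": _spdx("inventory-svc", ["pkg:npm/lodash@4.17.21"]),
}

# Constructed vulnerability feed in an OSV-like shape: each record names affected
# version-less purls with explicitly enumerated affected versions. The IDs are
# placeholders, not real CVE or GHSA identifiers.
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "affected": [{"purl": "pkg:npm/lodash", "versions": ["4.17.20"]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{"purl": "pkg:pypi/requests", "versions": ["2.30.0"]}]},
]


def package_purls(sbom_json: str) -> List[str]:
    """Collect the purl external references of every package in one SPDX document."""
    doc = json.loads(sbom_json)
    return [ref["referenceLocator"]
            for pkg in doc.get("packages", [])
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"]


def aggregate(service_sboms: Dict[str, str]) -> Dict[str, Set[str]]:
    """Application-level inventory: versioned purl -> set of services that ship it."""
    inventory: Dict[str, Set[str]] = defaultdict(set)
    for service, sbom in service_sboms.items():
        for purl in package_purls(sbom):
            inventory[purl].add(service)
    return inventory


def index_feed(feed) -> Dict[Tuple[str, str], Set[str]]:
    """(version-less purl, version) -> set of vulnerability ids affecting that version."""
    idx: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for vuln in feed:
        for aff in vuln["affected"]:
            for ver in aff["versions"]:
                idx[(aff["purl"], ver)].add(vuln["id"])
    return idx


def application_report(service_sboms: Dict[str, str], feed) -> List[dict]:
    """Join the aggregated inventory to the feed. Each finding carries the sorted
    list of services that ship the affected version, i.e. the redeploy blast radius."""
    inventory, idx = aggregate(service_sboms), index_feed(feed)
    findings = []
    for purl, services in sorted(inventory.items()):
        base, version = split_purl(purl)
        for vuln_id in sorted(idx.get((base, version), ())):
            findings.append({"id": vuln_id, "purl": purl, "services": sorted(services)})
    return findings


if __name__ == "__main__":
    print(json.dumps(application_report(SERVICE_SBOMS, VULN_FEED), indent=2))
```

Matching is on exact enumerated versions, which is what makes the join safe to automate; a feed that expresses ranges would need proper ecosystem-specific version comparison before the same join is trustworthy.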
Interoperability and The Problem that Open Source is Working to Solve
The CDF project CDEvents is creating a common specification for Continuous Delivery events, paving the way for interoperability within the ecosystem. With CDEvents, communities, vendors, and end users can make tools and technologies such as CI/CD orchestrators, artifact repositories, test frameworks, and security scanners interoperate in a standardized manner. This lets organizations spend less time integrating tools with each other and more time on value-adding activities, while improving the scalability, security, and sustainability of their pipelines. In this session, we will discuss the problems caused by the lack of interoperability within the CD ecosystem, summarize the efforts the CD Foundation and other open source organizations are taking to solve them, and provide updates on the CDEvents project, which is gaining significant momentum and adoption.
Implementing Zero Trust Security in Jenkins Pipelines with Open Source Tools
As cyber threats become increasingly sophisticated, the traditional perimeter-based security model no longer suffices. Zero Trust Security offers a modern framework that assumes no entity—user, device, or application—can be trusted by default, emphasizing "never trust, always verify." But how can this framework be applied effectively within automated CI/CD pipelines like Jenkins?
In this talk, we’ll provide a practical introduction to Zero Trust Security, exploring its key principles and the critical role it plays in modern software delivery. Attendees will learn how to integrate Zero Trust practices into Jenkins pipelines using powerful open-source tools. From secrets management to policy enforcement and continuous vulnerability management, this session will provide actionable steps to secure the entire software development lifecycle.
Hermetic Deployments: the Heart of GitOps
‘Buzzword bingo’ often gets in the way of truly understanding new concepts. We have all heard the term GitOps, but what does it really mean? At the core of GitOps is an airtight deployment process that can be repeated without the possibility of human interference: a single source of truth that is versioned over time so every change can be tracked. In this session, we will explore the basic concept of GitOps and discuss the future direction and challenges of a GitOps methodology.
Implementing Zero Trust in Government Settings: Strategies, Challenges, and Best Practices
With escalating cyber threats and increasing regulatory pressure, government agencies face a critical need to modernize their security strategies. The Zero Trust model—"never trust, always verify"—has emerged as a cornerstone for safeguarding sensitive data and infrastructure. However, implementing Zero Trust in government settings presents unique challenges, including legacy systems, complex compliance requirements, and the need to balance security with operational efficiency. This talk will provide a roadmap for adopting Zero Trust principles in government environments, offering actionable insights to overcome obstacles and ensure mission readiness.
Guardians of Code: Continuously Monitoring Security and DevOps Compliance
With organizations running hundreds of DevOps pipelines, knowing which pipelines comply with security requirements is essential in the fight against software supply chain attacks. The heartbeat of this effort is scrutinizing every pipeline’s journey from SBOM generation through deployment, ensuring each pipeline does what it needs to stand guard. In this session, attendees will learn the essential tools needed to add security to the pipeline and how the Ortelius open-source project continuously monitors a pipeline’s compliance using scorecard reports for each run. Existing integrations between Ortelius, Jenkins, Syft, GitHub Actions, Sigstore Cosign, and SonarQube will be covered.
Get Control Over Your Microservice Sprawl
Business agility achieved through fault tolerance and auto-scaling is the promise of a modern Kubernetes architecture. And a service-oriented approach is at the center of that promise. Microservices have the potential to revolutionize the way we develop software, but we must manage their use to control their sprawl. This is the focus of Ortelius, a new CDF incubating project that puts organization and control into the use of microservices. Ortelius delivers a centralized catalog of microservice configuration management metadata that allows you to see microservice owners, usage, relationships and ‘blast radius’ even before you deploy with automated updates via your CD Pipeline.
Fortifying Tomorrow’s CD Pipelines: Harnessing the Power of DevSecOps Data Using Ortelius
The first step towards hardening cybersecurity is knowing what your supply chain includes and how it changes hour to hour. SBOMs, CVEs, and software composition analysis tools generate critical security data. However, this critical data is fragmented across siloed DevOps pipelines and containers. Imagine a centralized repository where every piece of evidence related to security, from code analysis to CVEs and deployed inventory, is securely stored and easily accessible to developers and CISO teams. By consolidating evidence, this dynamic approach mitigates risks and transforms security into a proactive force in the quest for digital resilience. In this presentation, attendees will learn why it is important to consolidate this data, how the aggregated data can harden cybersecurity, and how to gather the data using the Ortelius software supply chain evidence store.
From DevOps to DevSecOps: Revolutionizing Supply Chain Security in Decoupled Architectures
Software supply chains are increasingly targeted by sophisticated cyber threats, and evolving from DevOps to DevSecOps has become essential for safeguarding decoupled architectures. This panel discussion with a diverse group of technologists delves into the critical need for integrating security at every stage of the development process, transforming traditional DevOps practices into a robust DevSecOps approach. The panel will explore the unique challenges posed by decoupled architectures, which increase both complexity and attack surface. Attendees will gain insights into best practices and learn about Linux Foundation projects and initiatives, such as Security Slam, Ortelius, Keycloak, OpenSSF Scorecard, and SLSA, for fortifying DevOps pipelines. Join us to learn how to revolutionize your approach to security and maintain the integrity of your software ecosystem in a decoupled world.
Exploring OpenSSF Scorecard and the Ortelius Project to Enhance Open Source Security
As the challenges of securing software supply chains grow, adopting robust and automated security practices is more crucial than ever. OpenSSF Scorecard, developed by the Open Source Security Foundation (OpenSSF), provides a reliable framework for assessing the security posture of open-source projects. Complementing this, Ortelius offers an open-source solution for continuous vulnerability tracking and management, seamlessly integrating with tools like OpenSSF Scorecard and OSV.dev.
Jenkins, as a CI/CD powerhouse, adds another critical layer to this ecosystem, making it an ideal platform for advancing continuous vulnerability management. This talk will showcase how integrating Ortelius and OpenSSF Scorecard into Jenkins pipelines enables teams to automate vulnerability scans, monitor security metrics, and address threats with greater efficiency. Attendees will gain practical insights into leveraging these tools together to build a secure, automated, and resilient software delivery lifecycle.
Fireside Chat: The People, Process, and Technology of GitOps
Join us for a panel discussion probing further into the people, process, and technology of GitOps – including what's next, challenges to culture, and theory versus practical implementation.
DevOps Intelligence and Your Software Supply Chain
It’s no joke: a cloud-native microservice architecture is complex. But it is only complex because we see it through the lens of monolithic development. A paradigm shift in both our development culture and our tooling is in order. DevOps intelligence and governance of the software supply chain will ferry us across this divide to a new and better way of serving our end users. This session will explore how our culture and pipelines need to shift to support a shared, component-driven architecture for building the software of tomorrow.
DevOps Kitchen with Chef Cristina Bowerman and friends
Put together some DevOps Engineers, a recipe, a bunch of ingredients, and a 30-minute countdown to make a delicious dish in a race against the clock and a Michelin star chef! What could possibly go wrong?
We are engineers, but we are also humans. So, join us for a fun session where we watch some of our beloved DevOps community experts as they get yelled at by celebrity Chef Cristina Bowerman while preparing a dish specially created for swampUP.
And… They may or may not be all wearing pink wigs…
Chaos Engineering - Are We Brave Enough?
Born at Netflix, Chaos Engineering is a site reliability practice of breaking production on purpose. Why would a Site Reliability Engineer (SRE) want to do that? The answer is easy: to make sure they can fix it. That sounds like a crazy, radical idea. But to be honest, it might be the best way to guarantee your system’s resilience.
You will learn:
• Basic concepts of chaos engineering
• How Chaos Engineering improves site reliability.
• The cultural shift required to make it all happen.
• Some early insights into chaos engineering practice so you can decide if it is something you want to champion at your organization.
Automating the Human Side of GitOps
GitOps still involves many manual steps, from updating YAML manifests for each new container image to managing pull requests, merges, and commits. In this session we will explore moving GitOps to a fully automated DevOps process. We will review the basic architecture of GitOps, how it is managed manually today, and how GitOps needs to evolve to become part of the continuous delivery pipeline.
Accelerating the DevSecOps Evolution using CDEvents for a Streamlined Pipeline
In the pursuit of rapid security innovation in the DevOps pipeline, the Continuous Delivery Foundation is working on implementing CDEvents. This talk will explore the transformative approach to achieving fast evolution in the DevOps pipeline so that DevOps and Security teams can easily implement critical security tools such as SBOMs and OpenSSF Scorecard.
Plug-ins, while useful for extending functionality, can become bottlenecks, introduce dependencies, and complicate maintenance, hindering the agility of the DevSecOps process. Attendees will learn about CDEvents as an alternative strategy and architecture that promotes a more streamlined and resilient pipeline. Key topics will include the CDEvents standard, the new “Hero Project” for building a listener architecture, and using Ortelius Open Source as a central evidence store for consolidating critical security data.
The talk will demonstrate how organizations can use CDEvents to successfully transition away from plug-in-heavy environments, leading to faster development cycles, improved system stability, and enhanced ability to respond to changing business needs.
A Dashboard for Actionable OpenSSF Scorecard Insights
OpenSSF Scorecard is a powerful tool for assessing the security health of open-source projects. However, making sense of its vast data and prioritizing improvements can be challenging. This presentation introduces a dashboard designed to visualize and streamline Scorecard insights, providing maintainers and security teams with a clear, actionable view of their project's security posture. Attendees will learn about Ortelius, a CDF project that has delivered a dashboard which aggregates key Scorecard metrics, tracks progress over time, and integrates with CI/CD pipelines to enhance automation. By the end of the session, participants will understand how this dashboard can help improve security practices, reduce vulnerabilities, and ensure compliance with industry best practices.
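The Scorecard abstracts above (integrating Scorecard into Jenkins pipelines, and tracking Scorecard metrics over time so they become actionable) share one mechanical core: compare the per-check scores of consecutive runs, flag regressions, and gate on a minimum per check. The following is an added example for this page, not Ortelius or Scorecard code. It works on two constructed results in the shape of Scorecard's JSON output (the field names `date`, `repo`, `score` and `checks[].name/score/reason` are Scorecard's; the values, repository name and policy thresholds are made up). Scorecard reports a score of -1 for a check it could not evaluate; the example treats that as "no data" for regression purposes but as a policy failure when the policy explicitly requires the check, so a check that stops producing data cannot quietly pass the gate.

```python
import json
from typing import Dict, List, Tuple

NOT_APPLICABLE = -1  # Scorecard's JSON uses -1 for a check it could not evaluate

# Constructed sample: two runs of `scorecard --format json` against one repository.
# Field names match Scorecard's JSON output; every value below is made up.
RUN_PREVIOUS = json.dumps({
    "date": "2024-05-01", "repo": {"name": "github.com/example/app", "commit": "aaaa111"},
    "score": 6.9,
    "checks": [
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "dependency not pinned by hash"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens follow least privilege"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    ],
})
RUN_CURRENT = json.dumps({
    "date": "2024-06-01", "repo": {"name": "github.com/example/app", "commit": "bbbb222"},
    "score": 6.6,
    "checks": [
        {"name": "Branch-Protection", "score": 3, "reason": "required reviews disabled on main"},
        {"name": "Pinned-Dependencies", "score": 7, "reason": "some dependencies pinned by hash"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens follow least privilege"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    ],
})

# Hypothetical team policy: minimum acceptable score per check (not a Scorecard feature).
POLICY: Dict[str, int] = {"Branch-Protection": 7, "Pinned-Dependencies": 5, "Token-Permissions": 10}


def check_scores(run_json: str) -> Dict[str, int]:
    """Map check name -> score for one Scorecard run."""
    return {c["name"]: c["score"] for c in json.loads(run_json)["checks"]}


def regressions(previous_json: str, current_json: str) -> List[Tuple[str, int, int]]:
    """Checks whose score dropped between two runs, as (name, old, new).
    A check unevaluated in either run is skipped: -1 is absence of data, not a score."""
    prev, curr = check_scores(previous_json), check_scores(current_json)
    return [(name, prev[name], curr[name])
            for name in sorted(prev.keys() & curr.keys())
            if NOT_APPLICABLE not in (prev[name], curr[name]) and curr[name] < prev[name]]


def policy_violations(run_json: str, minimums: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Checks below the required minimum, as (name, actual, required). A required check
    that is missing from the run, or that could not be evaluated, is a violation too."""
    scores = check_scores(run_json)
    out = []
    for name, minimum in sorted(minimums.items()):
        score = scores.get(name, NOT_APPLICABLE)
        if score == NOT_APPLICABLE or score < minimum:
            out.append((name, score, minimum))
    return out


def gate(previous_json: str, current_json: str, minimums: Dict[str, int]) -> bool:
    """True only when the current run neither regresses nor violates the policy."""
    return not regressions(previous_json, current_json) and not policy_violations(current_json, minimums)


def score_trend(runs: List[str]) -> List[Tuple[str, float]]:
    """(date, aggregate score) per run, oldest first, for a progress-over-time view."""
    return sorted((r["date"], r["score"]) for r in map(json.loads, runs))


if __name__ == "__main__":
    print("regressions:", regressions(RUN_PREVIOUS, RUN_CURRENT))
    print("violations:", policy_violations(RUN_CURRENT, POLICY))
    print("trend:", score_trend([RUN_CURRENT, RUN_PREVIOUS]))
    print("gate passed:", gate(RUN_PREVIOUS, RUN_CURRENT, POLICY))
```

In a pipeline, `gate` would run after the Scorecard step and fail the build; the aggregate `score` alone would have hidden the Branch-Protection drop here, because the Pinned-Dependencies improvement nearly cancels it out.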
